[
https://issues.apache.org/jira/browse/CASSANDRA-18875?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17790777#comment-17790777
]
Raymond Huffman commented on CASSANDRA-18875:
---------------------------------------------
[~brandon.williams] Here's a patch for trunk that upgrades to snakeyaml 2.2
https://github.com/apache/cassandra/pull/2941
> Upgrade the snakeyaml library version
> -------------------------------------
>
> Key: CASSANDRA-18875
> URL: https://issues.apache.org/jira/browse/CASSANDRA-18875
> Project: Cassandra
> Issue Type: Task
> Components: Local/Config
> Reporter: Jai Bheemsen Rao Dhanwada
> Priority: Normal
> Fix For: 5.x
>
>
> Apache cassandra uses 1.26 version of snakeyaml dependency and there are
> several
> [vulnerabilities|https://mvnrepository.com/artifact/org.yaml/snakeyaml/1.26#]
> in this version that can be fixed by upgrading to 2.x version. I understand
> that this is not security issue as cassandra already uses SafeConstructor and
> is not a vulnerability under OWASP, so there are no plans to fix it as per
> CASSANDRA-18122
>
> Cassandra as a open source used and distributed by many enterprise customers
> and also when downloading cassandra as tar and using it external scanners are
> not aware of the implementation of SafeConstructor have no idea if it's
> vulnerable or not.
> Can we consider upgrading the version to 2.x in the next releases as
> snakeyaml is not something that has a large dependency between the major and
> minor versions. I am happy to open a PR for this. Please let me know your
> thoughts on this.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org
